IETF-SSH archive
Re: WG Last Call (third time's the charm?) for SSH core drafts
>This was the proposed fix:
>
> Normally, the server responds to this message with success or
> failure. However, the server MAY also indicate that the
> request failed because the password must be changed by responding
> with SSH_MSG_USERAUTH_PASSWD_CHANGEREQ.
>
> byte SSH_MSG_USERAUTH_PASSWD_CHANGEREQ
> string prompt (ISO-10646 UTF-8)
> string language tag (as defined in [RFC1766])
>
> In this case, the client MAY continue with a different
> authentication method, or request a new password from
> the user and retry password authentication using the
> following message. The client MAY also send this message
> instead of the normal password authentication request
> without the server asking for it.
That sounds okay to me, though I would rather that the "the server MAY"
be stronger: SHOULD or MUST. I guess what I'm saying is that it either
is or isn't a failure; making it a maybe opens up for different implementations
and potentially different user experiences on different client/server
pairs. I just want it to be clear that this is actually a failure condition.
Joseph, do you have this implemented on either side?
--
Darren J Moffat
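
The message layout quoted in this thread, parsed on the client side and treated as a failure condition, as an added example that is not part of the original message or of any SSH implementation. Assumptions not taken from the thread: the message numbers 51, 52 and 60 (from RFC 4252), the uint32 length-prefixed encoding of SSH strings, the helper names, and the choice to strip control characters from the server-supplied prompt.

```python
import struct

# Message numbers as assigned in RFC 4252 (assumption: not given in the thread).
SSH_MSG_USERAUTH_FAILURE = 51
SSH_MSG_USERAUTH_SUCCESS = 52
SSH_MSG_USERAUTH_PASSWD_CHANGEREQ = 60

def _read_string(buf, off):
    """Read one SSH 'string': uint32 big-endian length, then that many bytes."""
    if len(buf) - off < 4:
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if n > len(buf) - off:
        raise ValueError("string length exceeds payload")
    return buf[off:off + n], off + n

def parse_passwd_changereq(payload):
    """Parse byte + string prompt + string language tag; reject malformed input."""
    if not payload or payload[0] != SSH_MSG_USERAUTH_PASSWD_CHANGEREQ:
        raise ValueError("not SSH_MSG_USERAUTH_PASSWD_CHANGEREQ")
    prompt, off = _read_string(payload, 1)
    lang, off = _read_string(payload, off)
    if off != len(payload):
        raise ValueError("trailing bytes after language tag")
    # The prompt is server-controlled text shown to the user: decode strictly
    # and drop control characters so it cannot rewrite the terminal.
    text = prompt.decode("utf-8")  # invalid UTF-8 raises (a ValueError subclass)
    text = "".join(c for c in text if c.isprintable() or c in "\n\t")
    return text, lang.decode("ascii")

def password_reply_state(payload):
    """Only SUCCESS authenticates; CHANGEREQ counts as a failure (hypothetical helper)."""
    if payload[:1] == bytes([SSH_MSG_USERAUTH_SUCCESS]):
        return "authenticated"
    if payload[:1] == bytes([SSH_MSG_USERAUTH_PASSWD_CHANGEREQ]):
        parse_passwd_changereq(payload)  # validate before acting on it
        return "failed-change-required"
    return "failed"

def _ssh_string(b):
    """Encode bytes as an SSH 'string' (used only to build the sample)."""
    return struct.pack(">I", len(b)) + b

# Constructed sample payload (not captured traffic); the prompt carries an
# escape byte to show the filtering.
SAMPLE = bytes([60]) + _ssh_string(b"Password expired\x1b[2J") + _ssh_string(b"en")
```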